Microsoft Warns on New Windows Zero-Day Hole

Microsoft has released a security advisory about a newly disclosed security hole for which proof-of-concept code is already public, although no attacks have been seen yet.

Microsoft released a security advisory on Friday warning users to watch out for a newly disclosed vulnerability in all versions of Windows, one that takes advantage of a common method of transferring media types in email messages.

The hole is in the MHTML protocol handler, a component present in all supported versions of Windows, including XP Service Pack 3. By luring a user to a malicious site and getting them to click on a booby-trapped link, an attacker could send the handler a poisoned script.

While the result of a successful attack would only be "unintended information disclosure" rather than a compromise of the entire system, the fact that proof-of-concept code and discussions of the hole have already been posted on the Internet raises the urgency for Microsoft (NASDAQ: MSFT) to warn security professionals pronto.

The advisory provides a client-side workaround. Additionally, the company said it is working on a patch.

"The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists," Angela Gunn, security response communications manager for Trustworthy Computing at Microsoft, said in a post to the Microsoft Security Response Center (MSRC) blog.

Microsoft also supplied a FixIt app that automates installation of the client-side workaround.

However, that doesn't alleviate the entire problem.

"In our collaboration with other service providers, we are looking for possible ways that they can take steps to provide protection on the server side," Gunn added.

While a post to Microsoft's Security Research & Defense blog provides more discussion of server-side mitigations, so far the company is only recommending the client-side workaround.

Microsoft did not give any approximate date for the patch's release.

Microsoft typically releases security patches on the second Tuesday of each month, earning the day the nickname "Patch Tuesday." The next one is scheduled for Feb. 8. To help security professionals prepare, Microsoft releases an advance notification on the Thursday prior to Patch Tuesday.

In January, Microsoft fixed only three security flaws, but the company has recently had a run of large patch releases.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.

Keep up with security news; follow eSecurityPlanet on Twitter: @eSecurityP.